Once the latest updates were identified, the following procedures were performed to identify security updates and their severity:
- Combined updates with Agile data to get “Fixes & Enhancements” information for each update.
- Applied a regular expression to extract CVEs from the “Fixes & Enhancements” feature (if any CVE exists).
- Counted the number of CVEs for each update.
- Joined with NVD data to obtain the security score and severity for each CVE.
- If a security update had more than one CVE, the ADSE team applied a “Max” function to find the CVE with the highest security score and used that score as the security score for the given update. This rule complies with the standards of the security industry. For example, a given security update could have 2 CVEs. If one CVE has a security score of 6.5 and the other 8.6, the algorithm will use 8.6 as the security score for that update.
- Applied a keyword search over NVD data to determine whether a given CVE is from Dell.
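
The steps above can be sketched as follows. This is an added example, not the ADSE team's code: the record layout, the field names, the placeholder CVE IDs and the choice to search the NVD description text for the vendor keyword are all assumptions.

```python
import re

# CVE IDs are "CVE-<year>-<4 or more digits>"; release notes vary in case.
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.IGNORECASE)

# Constructed sample data; the CVE IDs are placeholders, not real NVD entries.
UPDATES = [
    {"update": "BIOS 1.2.0",
     "fixes": "Fixes CVE-2099-0001 and cve-2099-0002; also CVE-2099-0001."},
    {"update": "Driver 3.4", "fixes": "Improved battery reporting."},
    {"update": "Firmware 7.1", "fixes": "Addresses CVE-2099-0003."},
]
NVD = {
    "CVE-2099-0001": {"score": 6.5, "severity": "MEDIUM",
                      "description": "Dell BIOS improper input validation."},
    "CVE-2099-0002": {"score": 8.6, "severity": "HIGH",
                      "description": "Third-party chipset firmware flaw."},
}

def extract_cves(text):
    """Return unique, upper-cased CVE IDs in order of first appearance."""
    seen = {}
    for match in CVE_RE.findall(text or ""):
        seen.setdefault(match.upper(), None)
    return list(seen)

def score_update(update, nvd, vendor_keyword="dell"):
    cves = extract_cves(update["fixes"])
    known = [c for c in cves if c in nvd]  # join with NVD data
    # "Max" rule: the highest-scoring CVE sets the update's score and severity.
    top = max(known, key=lambda c: nvd[c]["score"], default=None)
    return {
        "update": update["update"],
        "cve_count": len(cves),
        "is_security_update": bool(cves),
        "score": nvd[top]["score"] if top else None,
        "severity": nvd[top]["severity"] if top else None,
        # CVEs named in the notes but missing from NVD stay visible.
        "unscored": [c for c in cves if c not in nvd],
        "vendor_cves": [c for c in known
                        if vendor_keyword in nvd[c]["description"].lower()],
    }

def score_all(updates=UPDATES, nvd=NVD):
    return [score_update(u, nvd) for u in updates]

if __name__ == "__main__":
    for row in score_all():
        print(row)
```

An update that references a CVE absent from the NVD data is still counted as a security update but gets no score, so it can be reviewed by hand rather than silently dropped.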